It’s not very often that the subject of data recovery becomes mainstream news, and typically when represented in movies or television, it is so grossly exaggerated and unrealistic, as to almost be laughable. Having specialized in recovering data from a wide variety of storage devices for well over a decade, it’s nice to be able to chime in on topics related to this field from time to time.
The case with former IRS official Lois Lerner, is the hot topic of the day. Ms. Lerner’s hard drive crashed, and it was thought to have contained pertinent email related to an ongoing investigation. There are many false beliefs with regard to hard drives and how data can be recovered from them. There is this idea that at the government level they have special machines and technology that can recover data from any type of situation, but that is simply not shown to be the case. Believe it or not, there are limitations. And no matter what the qualifications or experience of the provider, if the damage is severe enough, the data simply cannot be recovered at all…by anyone.
Let me preface this by saying, this article is not politically motivated in any way, shape or form. This is not a defense of any accusations made against Ms. Lerner, nor is it meant to be a condemnation of her with regard to the condition of the drive or what could have, or should have been done. This is simply a statement of facts about how hard drives work that is meant to disseminate reality from fiction when it comes to how delicate they are, and what can and cannot be done when recovering data from them.
Was Data Recovery Possible From Lois Lerner’s Hard Drive?
Based on the information contained within this report by the House Oversight Committee, it is obvious by the description of John Minsek, a senior investigative analyst with the IRS Criminal Investigations unit, that there was noticeable damage to at least one of the hard drive platters. It seems as though some in the media are wondering if that damage was intentional. Actually Mr. Minsek’s description is very typical of hard drive that has suffered a head failure. It is sometimes described as a head crash. Depending on the size of the drive, the manufacturer, how many platters it contained and the location of the scored area, it is entirely possible the data was unrecoverable.
Mr. Minsek noted: “well-defined scoring creating a concentric circle in the proximity of the center of the disk.” The location of the scoring is important. All hard drives have a System Area, which is a hidden portion of the drive with very basic, command driven software, that controls the drive’s operation. It logs defects, monitors drive health, and works like a mini operating system for the actual hard drive. It is for the most part, completely inaccessible to the end user. It is however, absolutely critical for accessing data. In many laptop hard drives the system area is located toward the middle of the platter…exactly where Mr. Minsek described.
The hard drive pictured above shows what appears to be just a relatively small amount of damage, but it is the location of the damage that can be critical when it comes to accessing data. If the damage falls within the portion of the platter that contains the system area, then no amount of recovery work will gain access to the data.
With Such Minimal Damage Why Couldn’t The Data Be Recovered?
Well, without knowing exactly what efforts were made to physically repair the drive, it’s hard to say. We can only guess. However, it is quite plausible that even the most skilled data recovery technicians would be unable to recover the data if the platter was scored, even a small amount. Again, it comes down to location first of all, and then you also have the issue of how severe the scoring was. Even if the system area of the drive was perfectly intact, there could still be the potential for the data to be unrecoverable…even with minimal scoring. The inside of a hard drive looks similar to a record player. The heads are like the needle, and the platter is like the record. Unlike a record player, the heads do not touch the platter during normal operation. As the platter spins at 7200RPM (5400RPM in some hard drives), it creates positive air pressure. The head assembly has what is known as a “slider” at the tip. This slider acts almost like a wing, and the rotation of the platter, coupled with the air flow it creates, causes the heads to float on a cushion of air sometimes referred to as an air bearing.
The distance the heads float above the platter is called the “flying height”. Now the flying height is not measured in millimeters or even micrometers; it is measured in nanometers. The head assembly only floats about 5 to 8 nanometers above the platter in most modern hard drives. The higher the capacity, typically the lower the flying height. To put this into perspective, a single strand of DNA is only about 2.5 nanometers wide. A single bacterium is about 2,500 nanometers long. A fingerprint is about 12,000 nanometers high. A strand of hair is about 80,000 nanometers thick.
So why the emphasis on the flying height? Because any imperfections, especially scored areas of the platter, can impact the replacement heads. As the heads sweep across the platter they will almost certainly contact the damaged area, rendering the replacement heads damaged as well. Since the heads float so close the platter surface, any scoring of the platter would create huge obstacles for the heads to pass over. These imperfections in the scored area of the platter would be like trying to move Mt. Everest under a highway overpass. It’s not going to happen without wreaking some major havoc.
You get the scored rings as the drive continues normal operation with areas of the head assembly contacting the platter surface as it rotates. It works like a small grinder, scratching away the ferromagnetic coating. If you allow the drive to continue to operate, you have more and more debris floating around inside the drive, causing even more damage on the other platters as it gets trapped underneath those heads as well. The damage would eventually cascade to a point where all of the platter surfaces would have some damage to them.
We often get asked, “can’t data be recovered no matter how badly damaged the platters are?” This is another myth that is propagated, but it is not reality. The fact is, your data is stored in a very thin coat of ferromagnetic material on the platter surface. You can actually read more about how this works by clicking this link. When that material is scratched off the drive platter, there is no way to bring it back…ever. Imagine writing your name on a piece of wood, and then sanding it off. There is no way you can bring that back to it’s original state.
Was Ms. Lerner’s Hard Drive Intentionally Damaged?
Obviously we cannot answer that question, but it is a question being raised in the media. Based on the description of the damage by Mr. Minsek, it doesn’t seem like it was the result of intentional damage. A hard drive doesn’t need to suffer an impact to fail. The majority of the recovery work we do, comes from clients who have no idea what happened. We’ve had hard drives that were literally just sitting on a desk working fine one minute, and the next minute they were clicking and there was enough damage to render them unrecoverable. It does happen for no real measurable reason at all. The damage described in the House Oversight Committee report is very common when head failures occur. Could it be the result of the laptop being dropped on purpose? Yes, it could be…but it would be impossible to prove. For as delicate as hard drives are, they can take a pretty good beating and still be recoverable.
Take the example pictured below…
We did this recovery a year or so ago. These laptops were thrown from a vehicle during a horrendous auto accident, and ended up wedged between two semi’s that had collided. Even with such a massive impact, the damage to the platters was minimal, and all of the important data the customer needed, was recovered. This isn’t being used to hype our expertise, but rather to show you how much damage a hard drive can withstand and still be recoverable. Hard drives are odd. Some of them, you are absolutely sure they can be recovered, and you can’t get a single sector off the drive. Others, you think there’s just no way it can be recovered and you get a full recovery. To get the nice, concentric ring of damage on the platter surface as Mr. Minsek described, is almost always going to be a result of just a physical failure of the drive. A component of the head assembly failing and contacting the platter.
Couldn’t The FBI Have Just Pulled Out The Good Platters And Read Those?
Short answer…no. Platters are not like CD’s. The way a hard drive operates, prevents the data from being read from the platters individually. The technology to do that does exist to an extent, but it is built around A specific model of A specific brand drive. The capabilities of any good data recovery company is going to be at least equal to, and most likely would even exceed that of any government agency.
Facts Of The Case
1. We know the platter was damaged.
We aren’t trying to be funny, but that is really the only fact we know for sure based on the technicians report. Anything else is just a guess. We have no way of knowing if the damage was intentional, and based on the description it is doubtful that it was. We have no way of knowing if it could have been recovered by anyone outside of the technicians who actually worked on it, becaus that option was never exercised. Anything else is simply supposition.
Our Theory On What Happened To Lois Lerner’s Hard Drive
Based on what was written in the report, it seems like the hard drive simply suffered a mechanical failure. If we had to guess, the symptoms probably started off where the computer acted a little odd. Possibly to a point where it’s performance was noticeably slower. You can actually have a head failure and not realize it at first. An area of the head assembly may lightly touch the platter, but the drive still functions…albeit in a degraded state. Anytime the drive accesses the platter with the failing head, the performance would become drastically slower if that head is degraded. As the drive continues to operate, areas of the platter with the failing head receive more and more damage. The damage compounds itself, eventually causing the head to fail completely, and at that point the data would be inaccessible to the end user. After that, the hard drive probably made repetitive clicking sounds at boot up.
Anything else with regard to this case…other possible locations the data could have been stored, etc….are not relevant to what we do and are quite frankly, beyond our scope of expertise. We strictly focus on hard drive recovery and nothing more and just wanted to share some insight into these devices.